Forgot your password?
typodupeerror
Bug Microsoft Security The Almighty Buck IT

Microsoft Says No To Paying Bug Bounties 148

Posted by timothy
from the like-mel-gibson-in-ransom dept.
Trailrunner7 writes "In the wake of both Mozilla and Google significantly increasing their bug bounties to the $3,000 range, there have been persistent rumors in the security community that Microsoft soon would follow suit and start paying bounties as well. However, a company official said on Thursday that Microsoft was not interested in paying bounties. 'We value the researcher ecosystem, and show that in a variety of ways, but we don't think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren't always financial. It is well-known that we acknowledge researcher's contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update,' Microsoft's Jerry Bryant said."
This discussion has been archived. No new comments can be posted.

Microsoft Says No To Paying Bug Bounties

Comments Filter:
  • by MeNotU (1362683) on Friday July 23, 2010 @08:09AM (#33001594)
    Or it could be because they would be bankrupt within the week.
    • by kubitus (927806)
      you beat me with this answer!
    • Re: (Score:3, Funny)

      by Anonymous Coward

      Microsoft: As good at security as Linux users are at doing sex with girls

      • by Anonymous Coward on Friday July 23, 2010 @08:30AM (#33001732)

        as well witnessed by the linux user who refers to it as "doing sex"

    • Re: (Score:2, Insightful)

      by ergrthjuyt (1856764)

      Or it could be because they would be bankrupt within the week.

      But why? It's not like there's likely to be millions and millions of bugs that Microsoft doesn't already know about. Bounties are only awarded for previously unreported bugs, otherwise there would be no limit to how much anyone could collect from the company. It is doubtful that Microsoft's decision was primarily because of what it would actually cost them in payouts.

      • by SkunkPussy (85271)

        The joke was that microsoft's software is so bug-ridden that people will find so many unreported bugs that microsoft will go bankrupt.

      • by thoth (7907) on Friday July 23, 2010 @10:13AM (#33002572) Journal

        It is doubtful that Microsoft's decision was primarily because of what it would actually cost them in payouts.

        I agree... we can make fun of how much money this would cost Microsoft, but they can afford it. It is obvious they don't want to for. Some possible reasons:

        1) Announcing a paying bug bounty, like Knuth had with TeX, implies the code is so high quality they are looking for the last few issues. But they have a very large attack surface area, and their code is constantly changing.

        2) They've spent millions educating their developers and testers over secure coding and testing practices, and to be fair have made good progress. Announcing a paying bug bounty probably irriates the bean counters who are asking, aren't we already paying for people to work on security issues?

        3) Cultural issue? Mozilla and Google are willing to do it, and they have extensive experience in free/open source software. Microsoft, not so much.

        It is interesting they don't want to do it though.

        • Might also have to do with the fact that their products are closed source. Certainly makes it harder to do anything much more than brute force guess-and-check type exploits.
    • by mcgrew (92797) * on Friday July 23, 2010 @08:41AM (#33001792) Homepage Journal

      It's because to Microsoft, and undiscovered bug is a nonexistant bug. Their "security" model has always been "security through obscurity". Their philosophy is "why fix a bug if you don't have to?"

      And they modded you "funny" but you're absolutely right, sorta, even if a little exagerated; they have more far more dollars than sense. Well, maybe not sense; ethics.

      • Re: (Score:3, Insightful)

        by mqduck (232646)

        It's because to Microsoft, and undiscovered bug is a nonexistant bug. Their "security" model has always been "security through obscurity". Their philosophy is "why fix a bug if you don't have to?"

        I think it's simpler than that. They're thinking "why pay for a bug report when you don't have to?" They said it themselves, "we don't think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren't always financial." Is there any lack of people willing to expose Windows bugs already?

      • Re: (Score:2, Troll)

        by drsmithy (35869)

        It's because to Microsoft, and undiscovered bug is a nonexistant bug. Their "security" model has always been "security through obscurity". Their philosophy is "why fix a bug if you don't have to?"

        Yet they proactively fix bugs and distribute those fixes at no cost. Strange.

    • by v1 (525388) on Friday July 23, 2010 @10:33AM (#33002834) Homepage Journal

      That was the first thing that came to my mind. Though on consideration it would take quite a lot to bankrupt MS.

      But the unfortunate thing here is there's already a thriving market for zero-day MS bugs. These get bought and sold already on a daily basis on the underground malware networks. You've already got groups of people that make a living out of finding bugs in your software and selling them on that black market. Instead of letting them sell them to people that are basically your competitors, (or at least your PR antichrists) it makes sense to either hire them or become their best customer. either of which them will either kill or severely depress the market for exploits. Once MS becomes a bidder for the exploits, with its deep pockets, that alone will drive a lot of the malware authors out of business because they will no longer be able to afford to bid on a new zero-day to keep their malware effective as MS gets things patched at a highly accelerated rate.

      What they have here is an opportunity, and I can't believe they're going to let it slide. Makes me wonder if someone's ego/pride is driving their decision here, rather than good business sense? Even in the short term I don't see any way that this could be anything but a monetary win. Unless they think (again, in their pride and obstinence?) that they're so big now that they don't need to be bothered with improving their image or reputation anymore. Or maybe they've already considered this and it is unfortunately in their best interest to let their customers twist in the wind rather than spend a few bucks.

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      Because they would have to have a system where bugs are identified and tracked.
      Telling researcher X that that hole was KNOWN for 2.5 years but not fixed would cause plenty of embarrassment and negative publicity.

      For Microsoft, Honest is not the best policy - they are more of a let the dog sleep company, good enough type company.

  • by rah1420 (234198) <rah1420@gmail.com> on Friday July 23, 2010 @08:10AM (#33001598)

    "we don't think paying a per-vuln bounty is the best way."

    -- er

    "We can't afford the hit to our bottom line if we were to start paying people to find the bugs in our software."

    • Re: (Score:2, Interesting)

      by ergrthjuyt (1856764)
      A lot of Microsoft teams have more test engineers than dev engineers. On more mature products, it has been this way for decades now. So your jab, while comical, is far from the truth.
      • Re:Translation: (Score:4, Insightful)

        by msauve (701917) on Friday July 23, 2010 @08:40AM (#33001786)
        Actually, your claim supports his.

        If there weren't lots of bugs to be found, they wouldn't need so many test engineers. Are you trying to claim that all those test engineers find all the vulnerabilities in MS products before release? That would be the truly comical claim.
        • Re: (Score:2, Insightful)

          by ergrthjuyt (1856764)
          Actually, my claim doesn't support his. He claimed that Microsoft "can't afford" or chooses not to pay people to find bugs in their software. I asserted this was false because of the large number of (well paid) test engineers whose full time jobs are to find bugs.

          Are you trying to claim that all those test engineers find all the vulnerabilities in MS products before release?

          I never even came close to making such a claim. Nice try though.

          If there weren't lots of bugs to be found, they wouldn't need so many test engineers.

          I'm not sure what point you're trying to make. Anyone with even rudimentary exposure to software development or testing theory understands that having tests is not a sign that a prod

          • Re:Translation: (Score:4, Insightful)

            by msauve (701917) on Friday July 23, 2010 @10:11AM (#33002548)
            As they say, "the proof's in the pudding." MS has earned a reputation for vulnerabilities in their software. You seem to be equating "bugs" with "vulnerabilities." The latter is a subset of the former. How many of those "large number of (well paid) test engineers whose full time jobs are to find bugs" are focused on discovering new vulnerabilities, as opposed to simply doing regression testing vs. a defined feature set?

            And, since your argument now seems to be that money is not what drives people to find vulnerabilities (which is what MS was arguing, according to the summary, and what the OP was ridiculing), what do you propose drives the "bad guys" to find them?
            • You seem to be equating "bugs" with "vulnerabilities." The latter is a subset of the former

              A saying popular with the OpenBSD team seems appropriate here:

              The difference between a bug and a vulnerability is the intelligence of the attacker.

              A lot of non-exploitable bugs have, in the past, turned out to be vulnerabilities when someone else looked at how to attack them.

            • Re: (Score:3, Informative)

              by Muad'Dave (255648)

              As they say, "the proof's in the pudding."

              That's how it has been corrupted over time. The actual quote [worldwidewords.org] is, "The proof of the pudding is in the eating."

              From that article:

              "The full proverb is indeed the proof of the pudding is in the eating and proof has the sense of “test” (as it also has, or used to have, in phrases such as proving-ground and printer’s proof). The proverb literally says that you won’t know whether food has been cooked properly until you try it. Or, putting it figurat

      • by gorzek (647352)

        That's seriously fucked up. The last company I worked at had about 1/3 as many QA testers as developers, and that was still more than the industry norm.

        If your product has more testers than developers you are dealing with a seriously flawed product and/or development process.

        • Re: (Score:3, Insightful)

          by Zironic (1112127)

          Or just a really big product?

        • Re: (Score:1, Troll)

          by Rogerborg (306625)
          Aw, that's so cute. One day, when you're a big boy and work on real products, with real, steady, repeat customers, we'll talk.
        • Re: (Score:3, Insightful)

          by rtb61 (674572)

          What happened was M$ went really performance based in their bonus schemes, the more code you produced the more you got paid and the quicker you produced that code the sooner you got your money. Catch with that, performance often does not equal quality and unwittingly they penalised coders who produced well crafted, carefully thought out, compact code (the code you actually want). They did this for long enough to establish bad bloated coding styles as the norm, hence the problem.

          Why M$ wont pay for bug bo

      • by mcgrew (92797) *

        You give real engineers a bad name, then. It's been said (I think it's someone's /. sig) that if bridges were engineered like software, one would collapse every day.

        Sorry, I think MS won't open their source because they're ashamed of it.

        • by haruchai (17472)

          Here's another - If houses were built the way software is built, the first termite would've destroyed civilization

        • If software were built like bridges, then your word processor would be a typewriter.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      There's worse...

      "We can't afford to get into a bidding war with malware authors."

    • Alternatively:

      "We spend a lot of money hidding our bugs from the community, why should we spend more money on people that discovers them?"

  • ROI (Score:5, Funny)

    by theskipper (461997) on Friday July 23, 2010 @08:17AM (#33001650)

    "We don't care, we don't have to...we're the operating system company."

    • Re: (Score:3, Informative)

      by mcgrew (92797) *

      Attribution: Lily Tomlin's "Ernestine the telephone operator", referring to the then monopoly AT&T (We don't care, we don't have to...we're the phone company), for the younger slashdotters who weren't around when AT&T owned every telephone in America (back then you had to rent your phone).

  • by ICLKennyG (899257) on Friday July 23, 2010 @08:18AM (#33001654)
    About 15 years ago they made a long term investment to running their image into the ground so people would hate them so much that they would be willing to find the bugs for free. It's been working well for a long time, and at this point they have already written the check, why switch.

    Microsoft sucks! I'll prove it, look at this random arbitrary glitch in the way they handle SMTP requests.

    Thank you very much, fixed. Next!

    Crazy like a fox (news anchor).
    • "Thank you very much, fixed. Next! "

      Up untill that sentence all you were saying made a lot of sense. But that simply blows everything up.

      • by KarmaMB84 (743001)
        Actually it makes sense if you change it to:

        "Thank you very much, fixed in the next release. It's going to be a great upgrade that pumps up our quarterly earnings to new heights. Next! "

  • I guess MS has a new suit of security tech invisible to those unfit for their positions or just hopelessly stupid.
    MS knows its coding nothing at all but marketing has them coding in the finest suit of software.
    With is masterstroke, no cry of "But they are developing anything at all!" will never gain traction.
    They are safe to wonder around the walled gardens.
  • Interesting... (Score:5, Insightful)

    by fuzzyfuzzyfungus (1223518) on Friday July 23, 2010 @08:21AM (#33001678) Journal
    There are certainly downsides to the bounty approach(once you put money on the table, priority disputes turn from prima donna drama bullshit into actual-with-lawyers drama shit; not to mention the hideous quibbling about exactly what constitutes a "vulnerability", how severe it is, and so forth).

    On the other hand, handing out hard cash, in addition to credit, can certainly be motivational(yes, the monetary rewards on the criminal side will always be better; but I'd wager that there are a lot of people who would take 'steady job with some research firm, at dev/analyst pay levels+occasional fun money bounties+credit, all legal' over 'substantial monetary rewards, clandestine work for unsavory and occasionally downright problematic characters, nontrivial legal exposure'), and one might expect that MS, with their formidable war chest and serious security issues(both actual and perception-based) would find a way of converting fairly modest amounts of money into additional security. Particularly since(with the exception of Google's pet projects, and maybe a handful of other high-profile OSS projects) they could easily afford to bid better for vulnerability reports that team FOSS could, which would seem like a natural marketing bullet point...
    • Re:Interesting... (Score:5, Insightful)

      by iamhigh (1252742) on Friday July 23, 2010 @09:12AM (#33001998)
      It's also a little disingenuous to compare MS to Google here. The attack surface area is at least much different; Google worries about what comes over a few ports; MS worries about that, plus locally run malware, not to mention supporting a million hardware devices and all the extras that running a generic use OS.

      How about we compare MS to Apple - and neither pays for bug/vulnerability finds.
      • My comparison was merely in the service of expressing surprise: Given that Microsoft has OSS competitors, most of which are extremely poor(other than a couple of well-sugar-daddied projects), I would have expected them to adopt some sort of vulnerability payment scheme as a PR move(Look at the benefits of quality proprietary software, where we care so much that we pay for bug reports, unlike those penniless hippies), in addition to the practical benefits of scoring a few more bug reports.

        Based on the ass
      • by Bryansix (761547)

        How about we compare MS to Apple - and neither pays for bug/vulnerability finds.

        Both of them are headed by guys with the first name Steve and both of those guys are just about equally hated for their prideful arrogance and inability to admit to mistakes. Hmm, I think you might be onto something here...

  • It is well-known that we acknowledge researcher's contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update

    Yea, because we all know that people really value having their name in a newsletter over having their name in a newsletter AND a few thousand dollars....

  • Apart from the people who like to research security vulnerabilities for the fun of it, what other motivation is there? If you run a security company and finding vulns is good PR, or you're running botnets and making money from spamming and phising, or you're targeting companies for data theft, it seems like the motivations are almost always financial.

    At least if you paid a bounty, you might convince a couple of the part time security researchers to make a quick buck or two - a little incentive might pay so

    • The motivation is largely financial; but I think that there are a couple of psychologically salient wrinkles:

      PR is financial in the sense that it is basically a flavor of advertising; but it is also the case that (some people) really do derive happiness from being seen as rockstars/badasses. As in the music/entertainment business, being seen as a rockstar is also a sound financial move; but it it something that certain sorts of people really do value for its own sake.

      (Most) people respond differently
  • by FuckingNickName (1362625) on Friday July 23, 2010 @08:28AM (#33001714) Journal

    They're right. Banks don't pay people who find ways to get into their vaults.

    You're going to get better results by employing researchers with an interest in computer security. Unfortunately, these are hard to find, and most people claiming to be in "IT security" are actually just PR handwavers, egotists and people who know how to install Snort and write a few lines of Perl (I'm tempted to identify a few fairly well-known people by name, but you never start a fight with an idiot with a hammer and a conviction on appropriateness to use it...).

    Fortunately, MS has the resources to find, pay and provide the right environment for such people. Hell, it has a research group which dwarfs Google in terms of variety of output and leaves Apple holding the baton wrongly at the starting line. I'm not sure it interfaces these people optimally with its mainstream operations (the whole "executive project sponsorship" thing is very political), but it has a great basis.

    • I agree, but my first thought was that Microsoft produces more software than Google and Mozilla combined, which creates a much larger footprint for vulnerability. This, combined with the fact that some of their software is supported for up to 13 years after it's released (Windows XP), means that it very well would cost them a fortune. And by the time they stop supporting their software, attacks which never existed in anyone's wildest wet dreams have appeared, and the 12-year-old software wasn't designed a

    • by guruevi (827432)

      Banks do people that find ways to get in their vault legally. They hire people to penetrate (har, har) their security in any way possible, they work with law enforcement and sometimes even criminals to secure both their physical as well as their virtual systems.

      What Microsoft needs is first of all a restructuring of the organization - it's hemorrhaging cash, talent and image. Then they need to rewrite Windows and have a transition period where the old is virtualized much like Apple did with Mac OS X a decad

      • by dkleinsc (563838)

        Banks do people that find ways to get in their vault legally. They hire people to penetrate (har, har) their security in any way possible ...

        The first sentence was a rather nice bit of unintentional humor.

        But your point is well-taken: the whole concept of penetration testing was originally taken from the military, which also hires teams to see if they can break their security and leave notes like "code books stolen" if they succeed.

      • They hire people to penetrate

        Indeed. They pay people to do it, not because they've already done it. ;-)

        Ballmer is one of the last dinosaurs in that organization that thinks a VMS-based operating system is still up-to-date

        The NT kernel as a bastard stepchild of VMS is really not the cause of any unique-to-MS problems, and MS are experimenting with a major rewrite with Midori if that's really what you're looking for.

        NT was the step up from DOS-3.1-95-98-ME becoming mainstream just a little before OS X superceded OS 9 - OS X itself being mostly NeXT work, in turn Mach + BSD + ObjC - in turn standard microkernel theory + Unix + Smalltalk. It's all a nice

      • Ballmer is one of the last dinosaurs in that organization that thinks a VMS-based operating system is still up-to-date, just about anyone else in the industry has gone through major rewrites of their systems.

        Thank you, this sentence made me laugh so hard. It's wrong on so many levels I don't even know where to start with correcting you.

    • Microsoft - employs some of the brightest and best programmers and designers in the world

      Has an entire research arm dedicated to improving their products

      Has teams of testers to test and find bugs ... ...and still produces bug ridden, vulnerable software, that is outdesigned by the competition

    • by SheeEttin (899897)

      They're right. Banks don't pay people who find ways to get into their vaults.

      Uh, yes, they do.
      Well, maybe not the banks themselves, especially not smaller banks, or really any, these days (too little money actually on hand to be worth it), but it's called "penetration testing". I'm sure the vault manufacturers (or whatever they're called, I suspect most vaults are custom-made) are continually thinking of ways that they could be broken into. (Or at least they should be. Wouldn't be a very good company to s

      • Perhaps I was too ambiguous with my language. I felt otherwise, but sometimes I guess I overdo it on the nuance.

        I said: Banks don't pay people who find ways... (cheekily nonrestrictive "who")

        I did not say: Banks don't pay people to find ways...

        IOW, banks don't pay people just because they happen to find ways. In general, banks don't pay money to random people on the street, and the person on the street who makes a hobby of finding ways is no exception. They instead pay selected people specifically to go abo

  • Microsoft will always sit in the highest thrown when it comes to web browser software insecurity because of that very reluctancy to not only seek white-hat/community researcher help in vulnerability assessments and testing, but also because they are too bottom-line driven to see past it.

    We all have an good idea what the average annual salaries some Microsoft employees get paid and up to $3K is a drop in the bucket for someone who will willingly take hours, weeks, months or longer to find a something that wi

    • by AHuxley (892839)
      It goes back to the mind set in their past. IBM gave MS the future of the desktop and from that point it was an endless need to expand and kill.
      Code reviews are expensive when you have removed a market segment and face zero competition in the short or long term.
      The cash and skill sets are needed for the next area of threat or opportunity.
      They also need to make sure the next version does not face a near perfect last version.
      Microsoft has no need to never listen to bugs/needs/questions/comments on past is
    • by mcgrew (92797) *

      Microsoft will always sit in the highest thrown

      Dew knot truss yore spill chucker.

      • by adosch (1397357)
        You mean grammar checker, right? Should I go as far as mentioning that it was homonym issue? Grab your crayons and go back to your cave, troll.
        • by mcgrew (92797) *

          No, I mean spellchecker. Yes, it was a homophone issue. Your spell checker isn't going to catch homophone errors, and people blindly rely on them without proofreading what they write. I ain't got no problem with bad grammar, but I do have a problem with semiliteracy on a nerd site.

          Now go away, son, and let the grownups continue the discussion.

          • by adosch (1397357)

            Continue the off-topic spell-check fetish discussion you provoked or talk about the actual article topic?

            You need to stop reading dictionaries for fun, and wasting your employers time. So I used a word wrong in a context. Sounds like you were going to loose enough sleep over it tonight to waste your time brewing up such a childish debate. I can, for sure, tell you anything you replied to in the context of my original post has been nothing more than drivel and off-topic at the very least. Get a life. A

            • by mcgrew (92797) *

              Sounds like you were going to loose enough sleep over it

              LOL, what a fucking illiterate moron. WTF are you doing here, boy?

  • This is bad logic, ivory tower thinking even, they are assuming the entire ecosystem will have their chosen set of corp centric values. You would think they would have learned otherwise by now!

    Vulnerabilities will be discovered, sometimes by multiple independent parties. These vulnerabilities are either going to be sold, exploited selectively (corp esp against a chosen target), exploited publicly, reserved for future use or given to the vendor.

    The responsible thing is to try to move as many to the latter as

  • by bsDaemon (87307) on Friday July 23, 2010 @08:56AM (#33001868)

    ... they were reminded that the user is the biggest security threat to any system. Upon considering their market share they realized how potentially disastrous this would be once anyone with a phone book figured it out.

  • by Anonymous Coward

    ...they've spent all their surplus cash paying people who forward Bill Gate's email message to 25 other people.

  • We all know that security researchers are drama queens. As soon as they find a bug, they want to get a bull-horn out and start crowing about it.

    Microsoft on the other hand says that if you don't keep it secret for months or even years then you are a bad person and will try to get you fired.

    What they should do is just pay a $100 per day for keeping it secret until the bug is fixed. That way even if you don't get bragging rights, you get a pay check.

    Signing a non-disclosure agreement like this is pretty no

  • So Microsoft is saying that people should voluntary and collectively work on fixing and bettering software for free, without any compensation? Mmmm... [theregister.co.uk]

    • by Blakey Rat (99501)

      First of all, I'm not going to read The Register.

      Secondly, no, Microsoft is not saying that. You're being purposefully dense to make some kind of stupid Communist reference.

      People *already* find bugs in Microsoft products without any compensation. Microsoft never asked these people to work on "fixing and bettering" ("bettering?") software, they took it upon themselves.

      Basically, Microsoft's saying: "if you want to help us out without us asking, then go ahead. But don't expect us to pay you for it." Which ma

      • "You're being purposefully dense..."

        Actually I was making a joke which apparently went way over your head. Or underneath. I don't really know what sort of shoes you're wearing.

        "And look at it realistically..."

        Yeah, let's analyze a joke realistically. That's a great idea. All jokes should stand up to rigorous a priori and a posteriori scrutiny.

  • I think the money is better spent on hiring/training more developers/testers than throwing it away on some wild west style campaign to weed bugs. Besides they would get swamped with thousands of duplicate or non existent bugs because SOMEONE WAS DOING IT WRONG, not to mention the "i found it first" and other related lawsuits. Waste of time and money for everyone and you and I the consumers won't benefit one bit. Finding a bug != fixing a bug.

    • Re: (Score:3, Interesting)

      by drinkypoo (153816)

      I think the money is better spent on hiring/training more developers/testers than throwing it away on some wild west style campaign to weed bugs.

      This is a false dichotomy. They have lots of other options, for example they could throw the money down the hole that is Microsoft's entertainment division, which has so far lost them billions of dollars.

  • ...and after careful appraisal we've decided that its net value to us is negative several million dollars. It would be way more, but we've already lowered expectations to the point where vulnerabilities barely register on customers' perceptions. And what are they doing to do: uninstall the OS that came 'free' with their hardware? Train their moron users on some hippyware like Lunix, or pay a premium for Apple boxes rather than buy discounted Dells? Ahahah, look, people are still buying Dells - these cre
  • Microsoft already have more bugs than they know what to do with. They don't need people reporting more :-)
  • The reality is that $3000 for a really good exploitable bug is cheap.

    And most companies paying bounties won't pay you for a DoS you found in e.g. Chrome in 2H spare time, and only if you're lucky for things like data leak.
    They're only going to pay for sure if you deliver a full blown with proof of concept and completely documented exploit that let you take over a system.

    But here's the trick! Not only those take a long while to do, even for the skilled engineer (heck writing docs and stuff sucks), but $3000

    • To be slightly more on topic I'll add to that that Microsoft is the number ONE target and thus get a lot of bugs discovered for free. Bounties might have a small effect (partly due to what I explained before, since eventually a friend will want the $3000 right?), but certainly the small effect is more important for software companies with a lesser market share.

      Take Apple for example, they'll never pay bounties (heck, those guys don't even put credits if you're not a big guy, they don't *even* mention the vu

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      Someone please mod this guy up to the top of the page.

      Good exploits are being sold on the black market for $10,000 and more without the NDA shit. Unless you are very moral there is no incentive to report your discoveries to vendors at all!

  • Researcher: I want $3000 like Google and Mozilla pay.
    Microsoft Representative: No.
    Researcher: $2000?
    Microsoft Representative: No.
    Researcher: Could I at least meet Bill Gates?
    Microsoft Representative: *sigh*No, anything else?
    Researcher: Uhm... lapdance?
    Microsoft Representative: Ok fine, we will pay you one lapdance or hentai dvd per bug. That is my only and final offer.
    Researcher: DEAL!
  • There are various 3rd party research groups that you can sell your exploits too for money. They are legal, moral and assist the targeted companies in getting them fixed (and providing emergency fixes to their clients)...

    This doesn't help too much when you find a non-exploitable bug though, or are we only talking about exploitable ones?
  • by jhoegl (638955) on Friday July 23, 2010 @11:14AM (#33003328)
    I think it ironic that Microsoft is so hard core about capitalism and "paying for software", yet they will not reward those that find bugs. I mean bug finders did the hard work, they tested and retested to prove their theory, and Microsoft wants them to give it to them for free? Oh that is not even the best part. I went to report a bug to MS over the phone guess what they wanted, down payment. You know... just in case it wasnt a bug.
  • "the motivations aren't always financial" is a phrase I've heard before -- mostly from HR departments. It means someone who doesn't care about the product, but rather about making his/her departmental bottom like is running things.

    Money never hurts, and moves mountains. Yes, some people do it for free. More people will do it if there's cash. This means Microsoft either wants to:

    1. save money (unlikely, but possible at a departmental level)
    2. not find bugs (likely -- they ta

  • It's always struck me that vendors ought to be paying researchers for the time they spend working with the vendor to help get a bug fixed, rather than a flat rate for finding a bug. i don't think vendors have any obligation to pay people who find security vulnerabilities for the time they spent finding the bug, but if they want a research to spend time documenting and explaining the bug so they can fix it then they need to compensate that researcher. If there is a flat bounty rate, the researcher can decide

  • Here's a TED talk that could be applied to this situation in support of Microsoft's decision: YouTube - Clay Shirky: How cognitive surplus will change the world [youtube.com]
  • Xbox Achievement Points!!
  • ...from the company that used to charge YOU a huge bill for the "privilege" of sending bug reports?

One man's "magic" is another man's engineering. "Supernatural" is a null word. -- Robert Heinlein

Working...